It is a standard pattern not only in Liferay code, but in general to rely on "instanceof" when checking the type of the exceptions to control what to happen next. Since AuthenticatedSessionManager#login doesn't have a return value, the exception-based logic is a reasonable (or the only?) choice to support wide range of flows and to account the possible errors they can generate.
Because of this, I think it is a valid requirement towards our dev tutorial to indicate this when presenting the custom code. For example, we could refer back to the OOTB LoginMVCActionCommand and tell developers to examine that logic if they want to handle the different errors the right way.